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Abstract — We consider networks of noisy degraded wiretap 
channels in the presence of an eavesdropper. For the case where 
the eavesdropper can wiretap at most one channel at a time, 
we show that the secrecy capacity region, for a broad class of 
channels and any given network topology and communication 
demands, is equivalent to that of a corresponding network where 
each noisy wiretap channel is replaced by a noiseless wiretap 
channel. Thus in this case there is a separation between wiretap 
channel coding on each channel and secure network coding on 
the resulting noiseless network. We show with an example that 
such separation does not hold when the eavesdropper can access 
multiple channels at the same time, for which case we provide 
upper and lower bounding noiseless networks. 

I. Introduction 

Information theoretically secure (secret) communication in 
the presence of an eavesdropper has been studied under various 
models. One body of literature studies the wiretap channel, 
introduced by Wyner JT|, where the intended receiver and 
the eavesdropper observe outputs of a physical layer channel. 
Another body of literature investigates the secure capacity of 
networks of noise-free links. Under this model, introduced by 
Cai and Yeung in J2], an eavesdropper perfectly observes all 
information traversing a restricted but unknown subset of links. 
The first paper on the secure capacity of a network of noisy 
channels is O, which finds upper and lower bounds on the 
unicast capacity of a network of independent broadcast erasure 
channels when the output observed by the eavesdropper equals 
that of the intended receiver on all wiretapped channels. 

Our work considers the problem of secure communication 
over a network of independent wiretap channels which are 
physically degraded and "simultaneously maximizable" (see 
Definition Q] in Section HQ, and broadens consideration to 
general capacity regions specifying vectors of simultaneously 
achievable rates. We require asymptotically negligible decod- 
ing error probability and information leakage to the eaves- 
dropper, as defined formally in Section [TT] In the case where 
the eavesdropper has access to only one link, the identity of 
which is unknown to the code designer, we show that the 
secrecy capacity region is identical to that of a corresponding 
noiseless network, for any network topology and connection 
types. Thus in this case capacity can be achieved by separate 
design of wiretap channel codes converting each channel to 
a pair of public and confidential noiseless links, and a secure 
network code on the resulting noiseless network. We show 
with an example that such separation does not hold when 
the eavesdropper can access multiple channels at the same 



time, for which case we provide upper and lower bounding 
noiseless networks. Our results bring together and generalize 
the wiretap channel and secure network coding literature, 
allowing application of existing results on secure network 
coding capacity to characterize or bound the secure capacity 
of networks of such wiretap channels. Our work builds on and 
generalizes the techniques developed by Koetter, Effros, and 
Medard in fl4], J5], which show similar capacity bounds in the 
absence of secrecy constraints. We provide below outlines of 
all proofs, details of which are given in the full version of this 
paper J6). 

II. Model and Preliminaries 

Consider a network Q = (V, £ ), where V is the set of nodes 
and £ C V x V x N is a set of directed edges between pairs of 
nodes in the network. Edge (i, j, k) represents the fc th wiretap 
channel through which node i communicates to node j and 
through which an eavesdropper may or may not be listening. 
The total number of nodes in the network is to. The channel 
inputs and outputs for node i at time t are given by 
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where X± and Y t denote the input to and the output from 



: t (e) and Y t {e) 

edge e respectively, and X^ and y( e > denote their alphabets, 
which may be discrete or continuous. We define 

£m{i) = {(u,v,w) £ £ : v = i} 
£ ut(«) ={(u,v,w) £ £ : u = i} 
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Let V{£) denote the power set of the set of all edges. In a 
secure communication problem, an adversarial set A C V(S ) 
is specified. Each set E £ A describes a subset of channels 
over which an eavesdropper may be listening. The code is 
designed to be secure against eavesdropping on the set of 
channels E for every E £ A. When the eavesdropper listens to 
edge e = k), the eavesdropper receives, at each time t, a 

(e) (e) 

degraded version Z t of the channel output Y t observed 
by the intended recipient, which is the output node j of 
edge e = (i,j,k). If the eavesdropper has eavesdropping 
set E £ A, then at time t it receives the set of random 
variables [z[ e ^ : e £ E), which we compactly write as z[ E \ 



, ) of observations from all edges 



The vector (z[ E) 
e £ £ over time steps t G {1, . . . ,n} is denoted by [Z^\ . 
Similarly we define (X^) n = (x[ E) , . . . , X (E) ) and 



(£') 



i 1 n 



where X 
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X t (e) : e G E 



and Y t {E) = (y^ : e G E 

For each e G £ , channel e is a memoryless, time-invariant, 
physically degraded wiretap channel described by a condi- 
tional distribution 

p{y^\z^\x^)=p{y^\x (e) ) -p(z (e) |2/ (e) ). 

All wiretap channels are independent by assumption, giving 



= i[p(y {e) \x ie) H z{e) \y {e) )- 

ees 

We further restrict our attention to channels that are "simulta- 
neously maximizable," as defined below. 

Definition 1: Wiretap channel e is called simultaneously 
maximizable if 
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max I(X^;Y^) 

p(x) 
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max/(X( e );Z( e )) 

p(x) 



and 



max \l{X^;Y^)-I{X^-Z^) 
: max I(X^-Y^) - max IfX^-.Z^). 



The about maximization is subject to any constraints on the 
channel input (e.g., an input power constraint for a Gaus- 
sian channel) associated with the communication network 
of interest. Examples of simultaneously maximizable wiretap 
channels include weakly symmetric channels and Gaussian 
channels J7), J8). Intuitively, restriction to simultaneously 
maximizable channels simplifies our analysis since the same 
input distribution maximizes both the total and secure capacity. 

A code of blocklength n operates over n time steps to 
reliably communicate message 



} 



from each source node i G V to each nonempty set B C V\{i} 
of sink nodes in a manner that guarantees information theoretic 
security in the presence of any eavesdropper E G A. This 
constitutes a unicast connection if \B\ = 1 and a multicast 
connection if \B\ > 1, Constant i?' 1 ™^ is called the trans- 
mission rate from source i to sink set B. The vector of all 
rates R^ B ^ is denoted by R = (i?^ 6 ' : i G V, B G B w ), 
where set fiW = {B : B C V\{i},£ ^ 0} is the set of non- 
empty receiver sets to which node i may wish to transmit. 
Similarly, the vector of all messages is denoted by W = 

Each node i G V also has access to a random variable 



TW G r«={l,...,2" cw } for use in randomized coding 



■)nC (i) 




X (e") 



y(e) _ (y(e),c^ y-(e),p\ 
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^(e) _ y(e),p 

Fig. 1. A noiseless degraded broadcast channel with confidential rate R c 
and public rate R p . 
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for secrecy, where 

CfW= ^ 

ee£ ou ,(i) 

is the sum of the outgoing channel capacities from node 
i. Each TW is uniformly distributed on its alphabet and 
independent of all messages and channel noise. 
Definition 2: Let a network 
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be given corresponding to a graph Q = (V, £). A blocklength 
n solution S(ftf) is defined as a set of encoding functions 
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mapping ( Yf 5 , . . . , F^j , (W^ 8 ' : B G B (l) ), T< 1 



x T (i) — ► 



to 



X 4 for each i £ V and i G {1, . . . , n}, and a set of decoding 
functions 



mapping \Y^\ . . . , Yjp , {W^ B ^ : B G B w ) , T^j to 
W-tf-^.i) f or each j G V, /C G B^\ and i G /C. The 
solution S(Af) is called a (A, e, A, i?)-solution, denoted 
{\,e,A,R)-S(J\f), if Pr (w^'-^) ^ W^ K A < A for 

every j G V, /C G B w) and i G /C, and 7 ; W) < ne 

for every E e A. 

Definition 3: The A-secure rate region TZ(Af, A) C 
M™*- 2 1 ' ) of a network A/" is the closure of all rate vectors 
R such that for any A > and e > 0, a solution (A, e, A, R)— 
5 (A/) exists. 

Given a network AA and a channel e G £, the model 
Afe(R c ,Rp) replaces e with noiseless bit pipes as defined 
below and illustrated in Figure Q] 



Definition 4: Given a network 



AT=(H X [e \n \P (y {e) \ x(e) ) P { z[e) \v (e) 



e££ 

and some e £ £ , the model Af s (R c , R p ) replaces the degraded 
wiretap channel 

C g = (X^\p(y^\x^)p(z^\y^),y^ x Z&) 

with the noiseless degraded wiretap channel 

C(R C ,R P ) = ({0,1}*=+^,%^ - (s^y*)*)) 
<5(z (s) -i/(^),{0,l} Jle+fl » x {0,1}^) 

that delivers the rate-i? c confidential portion x^' c of channel 
input x^ e ' = (x^' c , x^ ,p ) to the intended receiver and the 
rate-i? p public portion x^' p of that input to both the intended 
receiver and eavesdropper. The resulting network is given by 

A4(i? c ,i?p)=({0,l}^x J] 

ee£\{e} 

S( y (t) - (x^' c ,x^' p ))d(z^ -y {s) ' p ) 

■ [] (P(y {e) \x {e) )-P(z (e) \y {e) )), 

ee£\{e} 

{0, l} R c+ R p x {0, 1} R " x (yW x Z^)). 

e££\{e} 

As in (HI, lO, we allow non-integer values of R c and i? p to 
denote noiseless bit pipes that require multiple channel uses 
to deliver some integer number of bits. 

Many of the subsequent proofs use the notion of a "stacked 
network" introduced in J4], (5), extended here by adding 
an eavesdropper. Informally, the A-fold stacked network Af_ 
contains N copies of network TV. The N copies of each node 
i 6 V use the outgoing messages and channel outputs from 
all N layers of the network to form the channel inputs in 
each layer of the stack. Likewise, each node uses the channel 
outputs and messages from all layers in the stack in building its 
message reconstructions. An eavesdropper E £ A overhears 
all copies of channel e for each e £ E. 

As defined formally below following |4j, 151 , a solution 
for A-fold stacked network Af must securely and reliably 
transmit, for each i £ V and B £ B^\ N independent 
messages . . . ,W (l ^ B) (N) from node i to all the 

receivers in set B. We underline the variable names from 
Af to denote variables for the stacked network Af_. Therefore 

w} 1 ^®) e >v (i ^ B) = (w^ B A N , T. (i) g t w = (r {t) ) N , 
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N 



and Z} t e) £ 

( "1 def / f \\ 

Z} e > = I Z^ e > j denote A-dimensional vectors of messages, 
channel inputs, channel outputs, and eavesdropper outputs, 
respectively, in network Af. The variables in the £ th layer of the 
stack are denoted by an argument £. Finally, we define the rate 



R (i^B) for a stacked network to be (log 2 \W {t ^ B) \)/(nN) 
since any solution of blocklength n for A-fold stacked net- 
work Af_ can be operated as a rate-i? solution of blocklength 
nN for network Af under this definition J4j Theorem 1]. 
A similar argument, given in Theorem Q] below, justifies 
the security constraint imposed below. Definitions are 
analogous to Definitions 4-6 in |4|. 



Definition 5: Let a network 
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be given corresponding to a graph Q = (V, £ ), and let an 
eavesdropper set A C P{£) be defined on network Af. Let 
Af be the A-fold stacked network for Af. A blocklength-n 
solution S(Af) to this network is defined as a set of encoding 
functions 
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, n}, and decoding 
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mapping 

r (i-s-K,i) 



to 



yv 

W;" for each j £ V, /C £ B^, and i £ /C. The 

solution S(AP) is called a (A, e, A, i?)-solution for stacked 



IT' 



(i->B) 
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network AA, denoted (A, e, A, R)-S(AP), if (^log 2 
(nN) = R^ B \ I {{z_ {E) Y ;W) < nNe for every E E A, 

and Pr (]£ ~ WC ' l) ^ fil ^^^ < * for the specified 
encoding and decoding functions. 

Definition 6: The A-secure rate region 7^(AA, A) C 
M™^ 2 of stacked network AT is the closure of all rate 

vectors R such that for any A > and any e > 0, a solution 
(A, e, A, R)-S(Af) exists for sufficiently large N. 



Definition 7: Let a network 



A^ f (n* (e) ,n(^( 



y (e V e) ) Pe 



(e)| y (e) 



be given corresponding to a graph Q = (V,£). Fix positive 
integers n and N as the blocklength and stack size, respec- 
tively. For each i £ V and B £ let i?(^ B ) and R^ B ^ 
be constants with fi^ B ) > R^^. Define PT/^^ 45 ' = 



{1,...,2 



} and ={!,..., 2 



'}. Let AT 



be the A-fold stacked network for Af. A blocklength-n stacked 



solution S(Af) to this network is defined as a set of mappings 
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where the other channel encoder 

>B)^ 



^ ) encodes mes- 
encoder (• ) in- 



sage W {l ^ B) to W (l ^ B) {W {i 
dependently encodes each dimension 
of outgoing messages w} 1 ~* , received channel outputs 



{!,•••, N} 



III. Main Results 

In Theorem [2] we show that for any network TV of wiretap 
channels and any edge e € £, replacing channel C s with a 
noiseless degraded wiretap channel of appropriate capacities 
R c and R p , as shown in FigureQ] yields a network TVg(i? c , R p ) 
(DefinitionlUi whose secure capacity region contains the secure 
capacity region of TV. Theorem [2] extends J5] Theorem 5] from 
traditional to secure capacity. 

Theorem 2: Consider a network TV and an adversarial set 
A C V{£). K(Af,A) C K{J\fe(R c ,Rp),A) for 

R c > max I(X&;Y&) - max I(X^;Z^) 

p(a;( e )) p(a:' e )) 



Hi 1 ' 1 1 ■ • ■ iYX-1' anc ^ random keys T w to channel input 

xf\Y^\i), . . . ,1^(0, (2^ ^ S) W:fi6 B W ),T (i) (*)) 

node decoder tyv'-^i*) (. ) independently decodes each di- 
mension of the reconstruction 



r(i) 



hannel de 



of ^ ' c) at node i, and channel decoder W U ~> K<i) (- ) 
reconstructs message vector W} - 

The following theorem extends (4] Theorem 2] from tradi- 
tional to secure capacity. 

Theorem 1: The rate regions 7Z(Af,A) and 7?.(TV, A) are 
identical. Further, for any R e int(7?.(TV, A)), there exists a 
sequence of (2^^, e, A. R)-S(Af) stacked solutions for the 
stacked network Af_ for some 5 > 0. 

Sketch of the proof: The argument to show lZ(At, A) C 
lZ(Af, A) follows JU Theorem 1]: given any R G 
int(ft(TV,A)), a blocklength-n (A,e,A,i?) - S(Af) solu- 
tion for network TV is unraveled across time to achieve a 
blocklength-niV solution for network TV. Since the given code 
satisfies the causality constraints and precisely implements the 
operations of S(Af_), the solution <S(TV) achieves the same 
rate, error probability, and secrecy on TV as the solution S(Af) 
achieves on TV, which gives the forward result. 

The converse follows Theorem 2], Again, fix e > 0, 
and for any R G mt(Tl(Af , A)) choose R G mt(1l(Af, A)) 
with > J?(^ B ) for all with P^* 5 ) > 0. 

Define p = miiiigy min Bg g(i) [R^ B ' 1 —R^ B ^ and choose 
constant A > satisfying 



R p > max I(X {s) ;Z {s) ). 

p(x( e )) 

Sketch of the proof: By Theorem Q] it suffices to prove 
K(At,A) C H(Af s (R c ,Rp),A). We employ a channel code 
across layers of the stack to emulate a secure code for network 
Af on network Afg(R Ci R p ). Typical inputs X_t to e are mapped 
to jointly typical outputs from a random codebook. It can be 
shown that the induced probability distribution p' is close to 
the probability distribution p of the original secure code for 
TV , and that mutual information values under both probability 
distributions are similar. The bits transmitted over the noiseless 
channel correspond to the codeword index, and thus reveal 
a similar amount of information to the wiretapper as its 
observations of the original noisy channel. □ 

Theorem [3] shows cases where the upper bound shown in 
Theorem |2] is tight. 

Theorem 3: Consider a network Af, an adversarial set A C 
V(£), and a single link e G £ . Let 



max max R^ 1 



>B ^\ + h{\) < p. 



This is possible by choosing A small enough so that A < pj 
(3max ig y maxg g g(i) R^®^) and h(X) < p/(3p). Since 
jjO->B) •> ^(»->B) > mere ex i s ts a blocklength n such that 
a (A, §,A R)-S(Af) single-layer solution exists. A stacked 
solution is built using this same (A, ^, A 1 R)— S(Af) single- 
layer solution in each layer and a randomly chosen channel 
code across the layers of the stack. □ 



R. c = max 7(X (e) ;F (e) ) - max I(X {S) ;Z {S) ) 

Rp = max I(X®:Z®). 

If e is invulnerable to wiretapping (e ^ E for all E E A) 
or is not simultaneously wiretapped with other links (e G E 
implies |£| = 1), then K(Af,A) = K(Af s {R c , R p ), A). 
Sketch of the proof: We outline the proof for the case where e 
is wiretapped but not simultaneously with other links; the case 
where it is invulnerable to wiretapping is a simpler version. 

We first show that K(Af g (R c -e,R p - e), A) C U{Af, A) 
for any e > 0, by starting with a secure code of rate R for 
network Afe(R c , Rp) and constructing a corresponding secure 
code for network Af. Denote by Ct and P t the transmissions 
across the confidential and public links, respectively, of edge 
e G £ at time t. Let C n = (d, . . . , C„), P™ = (Pi, . . . , P„) 
and denote by Cj and Pj for any j < i the vectors 

q = (Cj,C j+1 ,...,Ci) and P? = ;/ ; ; ./',., I'.u We 

define networks I and II shown in Figure [2] that are identical 
to networks Afe(R c , Rp) and TV respectively with the addition 
of an auxiliary receiver that observes the wiretap output of 
e, messages W and a noiseless side channel of capacity 
C s (defined below) from a "super-source" that has access 
to (W : C n ,P n ). In network I (II) the auxiliary receiver is 




Fig. 2. Network Afg{Rc, Rp) along with networks I, II and M that assist proving Theorem [5] 



required to decode the confidential bits C n . 

We construct a code for a stacked version of network I with 
N\ layers in which the auxiliary receiver is able to decode the 
confidential bits C n . The constructed coded for the stacked 
version of network I can be seen as a code of blocklength n\ = 
nNi for the non-stacked version of network I. To move the 
proof from network I to network II we use a stacked version 
of network II with N2 layers. The code used at each layer of 
the stacked version of network II is the code of blocklength 
n\ constructed above. We need to use a stacked version of 
network II to use a channel code at edge e of network II to 
emulate the noiseless edge e of network I. 

In the following we show that the communication code of 
network II gives a secure code of network M . These auxiliary 
receivers assist in the proof of the secrecy of the code for the 
eavesdropping set {e} G A in the following manner: capacity 
C g is defined such that the sum of capacities of (W, Z n , L") 
(where are the bits in the noiseless bit pipe of capacityCg) 
that are all the incoming links to the auxiliary receivers is 
almost equal to the entropy of (P™, C n ,W) that correspond 
to the decoded message at the auxiliary receivers and therefore 
all links are filled up to capacity. Therefore there is no spare 
capacity at links Z n to carry any information about message 
W and therefore the code is secure. 

On the other hand, the upper bound result in Theorem [2] 
implies that TZ(Af, A) C 1l(ke{Rc + e 1 R p + e), A) for any 
e > 0. We then prove a continuity result on the rate region 
1Z(AfeXRc, R P ), A) with respect to (R c , R p ) when R c > and 



R p > 0. The lower bound result, the upper bound result, and 
the continuity result together prove Theorem [3] □ 

Example [T] demonstrates applications of Theorem |2] and [5] 
and shows that while Theorem [2] is tight in many cases, it 
is not always tight when the replaced link appears in one or 
more eavesdropping sets of size greater than 1. 

Example 1: In the network of Figure |3(a)| channels e\ = 
(1, 2, 1), e 2 = (1, 4, 1), e 3 = (1, 3, 1), e 4 = (4, 2, 1), and e 5 = 
(4, 3, 1) are independent degraded binary wiretap channels. 
Channels e\ and have erasure probability at each intended 
receiver and erasure probability ^ at each wiretap output, as 
shown in Figure |3(e)| Channels e 2 , e^, and es have erasure 
probability i, with identical outputs for their intended and 
eavesdropped outputs, as shown in Figure |3(f)| We consider 
a single multicast from source S at node 1 to terminals 71 
and T2 at nodes 2 and 3. We therefore set = for all 

(i, B) ^ (1, {2, 3}) and then consider the point R G 1Z(J\f, A) 
that maximizes i?' 1 ^^ 2 ' 3 ^. The eavesdropper can listen in on 
either both e\ and e 3 or just e-2, i.e., A = {{ei, 63}, {e2}}. 
The network Jv shown in Figure |3(b)| has secrecy capacity 
under adversarial set A = {{ei, 63}, {e2}} identical to that 
of the network in Figure [3(a)] (U(Af, A) = K(J\f, A)) and is 
obtained by three applications of Theorem|2] Here channel C ei 
and C es have been replaced by channel C(i, 0) since channels 
e 4 and e$ are invulnerable to eavesdropping (e4,e$ ^ E for 
all E G A). Likewise C e2 has been replaced by C(0, 5) since 
e 2 cannot be simultaneously eavesdropped with any other 
channel {e^ G E implies \E\ = 1) and has confidential 




Fig. 3. (a) The network for Example [TJ and (b) its equivalent model by replacing channels ei, e4, and es by their equivalent noiseless links by Theorem[3] 
(rate-0 links are omitted from the model), (c) The noiseless model of (a) by applying Theorem[2]and (d) the secrecy capacity achieving code for the network 
in (c). (e), (f) The channel distributions for independent degraded wiretap channels ei, e$ and e2, e4, e$ respectively. 



bits. The noiseless network Af is an upper bounding model 
for the network in Figure |3(b)| (and therefore also an up- 
per bounding model for the network in Figure |3(a)| giving 
1l{Af, A) = K(Af, A) C K(Af, A)), and is obtained by two 
applications of Theorem |2] replacing channels e\ and ez by 
their upper bounding models. 

A rate-1 blocklength-2 code for network Af is shown in 
Figure [3(d)] The message W^^ 2 ' 3 ^ G {0, l} 2 is broken into 
a pair of messages W^*- 2 ' 3 ^ = (Wi,W 2 ) G {0,1} 2 with 
H(Wi) = H(W 2 ) = 1 and H{W U W 2 ) = 2. Random key 
K\ G {0, 1} is chosen uniformly at random and independently 
of (Wi,W 2 ). The code is secure since I(Wi, W 2 ; K\) = 
and l(Wi, W 2 ; W 2 + K\ \ = 0. In lt6l we prove using infor- 
mation inequalities that the noisy network Af of Figure |3(a)| 
has multicast secrecy capacity at most 0.875. 

To provide some intuition, notice that our capacity- 
achieving code for Af transmits the same key over a pair of 
noiseless links (ei and in AT). Direct emulation of this 
solution in Af network in Figure [3(a)| fails to maintain security. 
Specifically, if the same input is transmitted over channels 



ei and e 3 {X\ ei) = x\ es) for all t G {l,...,n}), then 
an eavesdropper accessing E = {ei,e3} sees independent 
channel outputs Z t and z[ e3 ^ resulting from the same 
channel input X\ e ^ = x[ e ^ at each time t. Since each 
transmitted bit is erased with probability i and the erasure 
events are independent by assumption, an eavesdropper that 
wiretaps both ei and is expected to receive roughly 75% 
of the transmitted information bits. Consequently, a key of rate 
0.5 is not enough to completely protect VK' 1 ^ 2,3 ^- 1 from the 
eavesdropper in this case. The problem here is that transmitting 
correlated information on multiple channels may be necessary 
to achieve the secure capacity in the noiseless case, but the 
same strategy may fail in the noisy case owing to independent 
realizations of probabilistic noise on different channels. 

Theorems |4] and [5] provide two different lower bounds 
for the case of multiple wiretapped channels. These bounds 
correspond to achievable schemes that ensure all links to the 
eavesdropper are filled to capacity with independent random- 
ness. 




A = {{ei, e 2 }, {e L e 3 }, {e 2 , e 3 }} 

Fig. 4. An example wiretap network for which lower bound model-II is not 
tight but lower bound model-II is tight. 

Lower bound model-I. The first lower bound results from 
removing the public portion of the upper bounding model. The 
lower bound is achievable since it is always possible to simply 
avoid the transmission of any rate on channel e that can be 
overheard by the eavesdropper. 

Theorem 4: Consider a network Af, an adversarial set A C 
V{£), and a single link e G £ . K(Af s {R c ,Q),A) C U(Af, A) 
for 

R c < max I(X {S) ;Y {S) ) - max 

p(a;t e )) p(a;( e )) 

Sketch of the proof: The proof of this theorem is similar to 
the proof of Theorem [3] except that in the noisy network we 
transmit independent random bits in place of public bits. □ 

The lower bound model-I of Theorem [4] is not tight in 
general. As a result, we do not use it to bound all channels but 
instead apply it to a selective sequence of channels from £. 
Notice that the model C s {Rc, 0) for channel C s in TheoremH] 
sets the public rate R p to zero. This effectively removes e from 
all eavesdropping sets E G A, giving a new adversarial set 
A 1 = {E\{e} : E G A}. Repeated application of Theorem [4] 
on a carefully chosen sequence of channels enable us to 
reduce all eavesdropping sets to size at most one. Once this is 
accomplished, we can use the equivalence result of Theorem[3] 
to replace the remaining noisy channels. 

To show that lower bound model-I is not tight, con- 
sider the network of Figure |U where each i in {1,2,3}, 
m&xI(Yi; Xi) = 2 and m&xI(Zi; Xj) = 1, The adversary 
can eavesdrop any two of {e\ : e2,e^\. Since for each link in 
{ei,e2,es} the confidential capacity is 1, and the public rate 
on two of the three links must be set to zero, the capacity of 
lower bound model-I is 3. In the following we introduce lower 
bound model-II, using which we get a tighter lower bound, 4, 
for this network. 

Lower bound model-II. In this model we bound the secrecy 
capacity region of network Af with adversarial set A C V{£) 
by deriving a relationship with the traditional capacity of 
a noiseless communication network called the ^4-enhanced 
network Af(A) defined below and illustrated by Figure 

Definition 8: Consider network Af on graph Q = (V,£). 
Define rate vector R cp = ((i? e .c, Re,p) '■ e £ £), an d 



U,I my E 

Fig. 5. The A-enhanced network Af(A). 

fix an adversarial set A C V{£). The A-enhanced network 
Af(R c . p , A) on graph Q = (V,£) is defined as follows: 

1) V = V U {vi : i G V} U : i G V} U {v E : E G A} U 
{vt}- For each i G V we call Vi and Vi the i th message 
node and random key node of network M(R C , P , A). For 
each E G A, node ve is called an eavesdropper node. 
Node vt is called the overall key node. 

2) £ = {hi : i G V} U {h : i G V} U {C e : e G £} U {h e : 
e G £} U {(v T ,v E ,l) -EE A). 

For each i G V, hi is a noiseless hyperarc of capacity 
(or alternatively a set of bit pipes each of capacity C' 1 ') from 
node Vi to all of the nodes in {«} U {ve '■ E G A}, and hi is 
a noiseless hyperarc also of capacity (or alternatively a 
pair of bit pipes each of capacity C^) from node to both 
of the nodes in {i,vt}, where is defined in (Q~|) as the 
sum of the outgoing channel capacities from node i. 

For each e = (i,j,k) G £, channel C e in network is a bit 
pipe of capacity R e c from node i to node j, and hyperarc h e 
is a noiseless hyperarc of capacity R &:P from node i to all of 
the nodes in {j} U {ve '■ E G A, e G E}. For every E G A 
channel C(„ T;1 , Bi x) is noiseless bit pipe of capacity 

ieV e£E 

from node vt to node ve- 

The A-enhanced network is used for traditional (rather than 
secure) communication with a collection of reconstruction 
constraints that depend on both Af and A. 

Definition 9: Let Af(R CyP , A) be the A-enhanced network 
for network Af and adversarial set A C V{£). A blocklength- 
n solution S(Af(R c , P , A)) to network Af(R c , P , A) is defined 
as a set of encoding functions for each node v in V 

(jW)" : (y^y*- 1 x (w^ir 1 x (r^yr 1 — > (^ (, ' ) ) ri 

and decoding functions 

(ffW) B : x (W'"')?- 1 x (r^)^ 1 — > (W (t,) ) 

(T(«)) n : x (w'"'); -1 x (r^^r 1 — > (r (t,) ). 

such that for each i G V and i3 G £>^, message W r ^* _J ' B ' 
from node Vi is delivered to all of the nodes in B G 
where is the receivers set for node i G V in network A/", 



and random keys TW g 7"( l ) = {1, . . . , 2" c(l) } are delivered 
from node Vi to nodes {ve ■ E E ^4}. 

Definition 10: The rate region 1Z(Af(R c>p , A)) C 
K m(2™- 1 -i) of thg ^. enhanced networ k Af(R c>p ,A) of 
network A/" is the closure of all rate vectors R such that for 
any A > 0, a solution (A, R)-S(Af(R c . p , A)) exists. 

Theorem 5: Consider network Af on graph Q = (V, £ ) and 
an adversarial set A C P(£). Let Af(R CiP ,A) be the A- 
enhanced network of network Af. If for every e G £ 

R e , p < max/pf (e) ;Z (e) ) 

P(z) 

— max 

p(x) p(x) 

then 1Z(Af(R c , p , A)) C n{Af,A). 

Sketch of the proof: We start with a code for network 
Af(R c , P , A) and we will construct a secure code for network 
Af. We make use of an auxiliary network I which is the same 
as the A-enhanced network except that the noiseless bit pipes 
in{C e : e E £}u{h e : e E £} are changed back to the original 
noisy channels. We show that we can emulate the given code 
on network I such that the auxiliary receivers are still able 
to decode the required messages. Since the total capacity of 
all incoming links to the auxiliary receivers is almost equal 
to the entropy of (P n ,C™, W, {Z E \^) n ), there is no spare 
capacity at links ((Z E ^ e ^) n , Z n ) to carry any information 
about message W and this corresponds to a secure code for 
network Af. □ 

Unlike the rest of the results, where changing a single wire- 
tap channel C s to its noiseless counterpart C s (R c ,Rp) results 
in an equivalent or bounding network, Theorem [5] requires 
all wiretap channels in the noisy network Af to be changed 
to noiseless channels in order to obtain a lower bounding 
network. Intuitively, this is because our construction requires 
the eavesdropper E G A to decode all sources of randomness 
in the network, which is not possible generally for noisy 
networks where the entropy of the noise can be potentially 
infinite. If we wish to replace only some noisy channels by 
their noiseless counterparts then Theorem [4] should be used. 
When all channels are to be replaced Theorem [5] can be used, 
potentially leading to a tighter bound. 

For example, we consider the network in Figure H where 
model-I gives a lower bound of 3. Here, we show that 
lower bound model-II gives a tighter lower bound, 4. The 
A-enhanced network is shown in Figure [6] For simplic- 
ity, we combine the three direct links (with capacity 1) 
from S to R into a single link with capacity 3. The fol- 
lowing code achieves rate (Rw,Rt) = (4,6) in the A- 
enhanced network. Let W = {Wi,...,Wa} and T = 
{Ti,...,Tq}. The outgoing link of S with capacity 3 di- 
rectly delivers {Wi, W2, W3} to R. Each of other outgoing 
links of S transmits a linearly independent combination of 
{W 4 ,T 5 ,T 6 }. Node V s transmits {Ti, T 2 , T 3 , T 4 } to each of 
{V{i,2},V {1 ,3},V{2,3}}- Node {V s } transmits {Wi,...,W 4 } 
to each of {V^ 2 }, ^{1,3}) ^{2. 3}}- R can decode W4 from the 
three linearly independent combinations of {W4,T$,Tq}. At 




Fig. 6. The A-enhanced network for the network in Figure f4] The number 
on top of each link represents the link capacity. 

y {lj2}> messages T 2 , T 3 , T 4 } and {Wi, W 2 , W 3 , W 4 } are 
directly received from Vs and Vg, respectively. By using W4 
and two linearly independent combinations of {W^^T^^Tq], 
node V{i,2} can decode {T^,Tq}. ^{1,3}, ^{2,3} decode simi- 
larly. 

Acknowledgments 

This work has been supported in part by NSF grants CNS 
0905615, CCF 0830666, and CCF 1017632. 

References 

[1] A. Wyner, "The wire-tap channel," Bell Systems Technical Journal, 

vol. 54, no. 8, pp. 1355-1387, Oct. 1975. 
[2] N. Cai and R. W. Yeung, "Secure network coding," in Proc. 2002 

IEEE Int. Symp. Information Theory (ISIT 2002), Lausanne, Switzerland, 

Jun./Jul. 2002, p. 323. 
[3] A. Mills, B. Smith, T. Clancy, E. Soljanin, and S. Vishwanath, "On secure 

communication over wireless erasure networks," in Proc. of IEEE ISIT, 

July 2008, pp. 161-165. 
[4] R. Koetter, M. Effros, and M. Medard, "A Theory of Network 

Equivalence-Part I: Point-to-Point Channels," Information Theory, IEEE 

Transactions on, vol. 57, no. 2, pp. 972 -995, February 2011. 

[5] , "A theory of network equivalence, Part II: Multiterminal Channels." 

[6] T. Dikaliotis, H. Yao, T. Ho, M. Effros, and J. Kliewer, "Network 

equivalence in the presence of an eavesdropper," 2012. [Online]. 

Available: http://www.its. caltech.edu/$\sim$tho/eav-equi.pdf 
[7] Leung- Yan-Cheong and M. S. Hellman, "The wire-tap channel," Infor- 
mation Theory, IEEE Transactions on, vol. 24, no. 4, pp. 45 1—456, Jul. 

1978. 

[8] Y. Liang, H. V. Poor, and S. Shamai, "Secure communication over fading 
channels," Information Theory, IEEE Transactions on, vol. 54, no. 4, pp. 
2470-2492, June 2008. 



